Posted: Tue 20 May 2008, 21:35
Post subject: Why does Puppy run in root?

I've been using Ubuntu for a year now, and am thinking to slim down to something smaller and faster for my older laptop. Puppy is definitely one of my top choices, but I am wondering why it runs in root? Sounds sort of risky and unnecessary. Is there some benefit to doing it this way?

The site you refer me to assumes that the user is booting from a livecd every time they use puppy linux: "As long as Puppy starts from CD-ROM (and is not installed on the harddrive) the program-files and system-files are secure." Well, what if one is planning to install puppy on the hard drive, as I am? Is it then dangerous and insecure? I tried a few key words in the search window-- like "root", "user", "security", but did not find out anything further on this topic. If one is going to use puppy, is it preferable to boot always from cd or external medium? I would find this rather inconvenient I think. I would like to have a distro which I can install on my hard drive.

Disclaimer: I'm all for having better multi-user support in Puppy, so long as it isn't forced on the user.

Swarup, you posted while I was typing. I'm not going to go through and fix my post to take into account yours and MU's. Instead, I'll just address it now and then leave my original post unchanged following it.

If you boot puppy with the puppy pfix=ram option, it will boot up completely pristine, as though you had never run it on that computer before. Otherwise, Puppy will look to see if you have a pup_save.2fs file, which you can opt to create when you first reboot. If it detects one, it will load it. All changes you make will be stored in that file, including changed system files. Next boot those changed files will be loaded, unless you use the pfix=ram option. So if you get compromised, you can boot with pfix=ram and make a new save file. You can even mount the old one and extract important data, so long as you're careful to check that it's non-compromised data (or clean it up if it isn't).

This applies to Live-CD, Frugal-HD, and USB installs. Full-HD installs are different (and no more "full" either, just words...) Full-HD installs work just like you'd expect a normal distro to work. You can't make them not save, and if they are compromised you must either restore a backup, repair the individual errors, or reinstall from scratch. They also won't load the original files into RAM, making access times slightly worse for most people (but probably not very noticeable). Some people will point out that they also offer better RAM usage because of this, but that is not always true. Since Puppy 4, a Frugal install can be given the pfix=noram option, which will mount the pup_xxx.sfs file from the harddrive. So that negates the faster access times, but allows you to function in a low-ram machine. The same thing will automatically happen in ANY Puppy if Puppy determines that you don't have enough ram to load the pup_xxx.sfs file into it and still have some left over for working.

Original post:
That page Lobster linked to is misleading. It makes it appear that, under normal usage conditions, the core programs will be pristine with every boot. This is not so. The original copy of those programs remains pristine, but if you have a pup_save.2fs file (which the vast majority of users will have) then any compromised system files will be saved in that and loaded over the originals each boot. Booting with puppy pfix=ram will of course allow you to boot into a completely pristine and almost certainly uncompromised Puppy, but the rest of the time you face just as much risk of having compromised system files as you do running as root in another distro.

A difference from other distros is that Puppy is much much easier to reinstall. And you have to remember, whether you run as root or not, your personal data is equally vulnerable.

Thus, if one remains vigilant to ensure that nothing has been compromised, Puppy will be little different from any other distro. You can argue that you don't need to be so vigilant in others, but you actually do. If someone doesn't keep an eye on the files their non-root user owns to make sure they are clean, yet complain that running as root is insecure, he/she is a moron. A hacker has an easier time if they have access to root, but there's still a good amount they can do from a limited account. Example: they simply use you as a carrier by sticking a windows virus into that email you're sending to your family, who has yet to convert to Linux... A limited user probably has enough permissions to become a zombie, albeit only when that user is logged in (which for a single-user machine will be most of the time). Then there's the ID-theft aspect, since they have access to all your personal data.

I don't deny that a limited user is more secure than root, but not by enough to worry about it in Puppy. In other distros that take longer to repair this may not be the case. Get compromised in Puppy? Just drop your pup_save.2fs file and start a new one. You can mount the old file and retrieve any needed data (thoroughly cleaning it first of course) and be on your feet just as fast as somebody who had to drop a limited user in a big distro. Sure, your system files were compromised, unlike theirs, but by scrapping the old pup_save.2fs file you are granted completely pristine files.

So to me, the only valid complaints are with respect to actual MULTI-USER situations. Sharing with a family for example. Puppy does have some support for this (every person can have his/her own optionally encrypted pup_save file), but it isn't as nice as true multi-user. In some ways it's superior though (each user is much more isolated - they all get to be "root" of their own little worlds). The biggest sore point is that they all have permission to simply delete another person's save file, even if they can't mount it (due to encryption). Of course, limited users don't prevent people from booting via live-cd and wiping everything out either, unless you set up your bios properly and then lock up the case...

One thing to note: the pup_save.2fs and pristine files related things are not relevant for a Full-Install. For those, if you are compromised you won't be able to just drop your pup_save.2fs file because you won't have one. You'll have to either restore a backup or reinstall Puppy. Fortunately, Puppy is a pretty fast install even for a Full-Install. Only ~200 MB. Full-Install users also won't get the nifty encrypted save file deal, making literal multi-user capability very weak.

Sorry for the slightly fragmented post, and for the repetition that I think I had.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

Quote:

Thus, if one remains vigilant to ensure that nothing has been compromised

Quote:

If someone doesn't keep an eye on the files their non-root user owns to make sure they are clean,

Quote:

so long as you're careful to check that it's non-compromised data (or clean it up if it isn't)

I am curious as to how these are actually done? Also, do you know whether there have been reports in this forum (or elsewhere?) that someone has been compromised in Puppy and what actually happened? (i.e. not where there is external access, like the websites getting hacked, but just a normal computer running a firewall and no remote access functions) I've googled/searched, but I don't find anything very specific.
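One way to do the check asked about here, and described in the earlier post (boot with pfix=ram, mount the old pup_save.2fs, and compare it against the pristine files): walk the save layer and report every file that shadows, adds to, or whites out a file in the base layer. This is an added example, not code from the thread or from Puppy itself; the two directory paths are assumed to be a read-only mount of the pristine pup_xxx.sfs and of the suspect pup_save.2fs, and the `.wh.` prefix for deleted files is assumed to be the aufs/unionfs whiteout convention.

```shell
#!/bin/sh
# Compare a mounted pup_save layer against the pristine base layer.
# Usage: find_shadowed_changes <mounted pup_xxx.sfs> <mounted pup_save.2fs>
# Prints one line per difference: MODIFIED, NEW or DELETED <relative path>.
find_shadowed_changes() {
    base="$1"; save="$2"
    # Every regular file in the save layer overrides the same path in the base,
    # so MODIFIED lines are the system files to inspect or discard first.
    find "$save" -type f | while IFS= read -r f; do
        rel="${f#"$save"/}"
        name=$(basename "$rel"); dir=$(dirname "$rel")
        case "$name" in
            .wh.*)  # whiteout entry: the base file at this path was deleted
                case "$dir" in
                    .) echo "DELETED ${name#.wh.}" ;;
                    *) echo "DELETED $dir/${name#.wh.}" ;;
                esac
                continue ;;
        esac
        if [ -f "$base/$rel" ]; then
            cmp -s "$base/$rel" "$f" || echo "MODIFIED $rel"
        else
            echo "NEW $rel"
        fi
    done | sort
}

# Constructed fixture standing in for the two mounted layers (not real Puppy data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/base/bin" "$tmp/save/bin" "$tmp/save/root"
    printf 'orig\n'   > "$tmp/base/bin/ls"
    printf 'orig\n'   > "$tmp/base/bin/cat"
    printf 'trojan\n' > "$tmp/save/bin/ls"        # shadows /bin/ls with new contents
    cp "$tmp/base/bin/cat" "$tmp/save/bin/cat"    # shadows /bin/cat but identical
    printf 'data\n'   > "$tmp/save/root/notes.txt" # user data, not in the base
    : > "$tmp/save/bin/.wh.sh"                    # whiteout: base /bin/sh removed
    find_shadowed_changes "$tmp/base" "$tmp/save"
    rm -rf "$tmp"
}
```

Run `demo` to see the three kinds of difference on the fixture; on a real system, point the function at the two mounts instead.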

Quote:

I've been using Ubuntu for a year now, and am thinking to slim down to something smaller and faster for my older laptop. Puppy is definitely one of my top choices, but I am wondering why it runs in root? Sounds sort of risky and unnecessary. Is there some benefit to doing it this way?

The main benefit of Puppy running as root is ease of use, it is crafted to be small and fast and easy for people who are used to running Windows to use. I think it achieved that.

Your question seems somewhat strange to me as the *buntus give the user "ALL" permissions in sudo. Making it about the same as Puppy except in Puppy you don't have to type sudo along with a command. I think they chose to go the "sudo" way for reasons similar to Puppy's. Consequently, from a security point of view, they are pretty much the same. Except, with Puppy you can choose no persistence so next boot you again have a pristine system even if you were compromised on the previous boot.

Thanks for all the info from everyone on this point. I think the most forceful point for me is that puppy is so small and easy to install, that if something happens it really doesn't matter. --Just reinstall puppy. I'll be keeping a separate data partition anyway. So my concerns for now are quelled. I shall go ahead and install puppy, and see what fun comes my way!

I'm going to get a bit philosophical here. There's a big difference between something that could plausibly happen in certain circumstances, and what actually does happen (or has happened) in the real world. I notice that a lot of people get the two confused.

As I see it, Puppy has been around long enough for there to be a body of real-world experience on the safety/danger of running as root.

I figure that, if running as root were as hazardous as we've been told, Puppy forums would be full of messages about compromised systems - far more than on, say, Ubuntu forums. And as far as I can tell, that's not happening.

So I'm quite comfortable to go on running as root.

Makes a lot of sense to me. Why go on yelling "fire, fire!" when there isn't even any smoke? People on the Ubuntu forums will always warn you not to work unnecessarily in root because of the inherent dangers involved in doing so. Well, like you say-- why isn't this puppy forum filled with cries of anguish about what happened all these years with thousands of people working continuously in root?

The main danger for the user running as root is the user him/herself. You are far more likely to screw up your own system than have someone hack you and screw up your system. Also, as has been said here, most non-root distros give you sudo. If your non-root account gets compromised, the hacker then types sudo+evil_command and does whatever s/he wants.

The use of sudo only makes the user think twice before doing something stupid, it does nothing to stop the hacker.

As an aside, is anyone else noticing the large amount of interest in the security of running as root?

_________________
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath